2010-05-15
Many of the tools we use every day include various security features. However, often the best features are disabled by default for various reasons, be they performance, compatibility issues, or whatever.
Data Execution Prevention, or DEP, is a technology found in every modern operating system that marks data regions of memory (the stack and heap) as non-executable, so the common class of exploits that overflow a memory buffer and then run the code they wrote there is stopped before its payload executes. DEP has been around since Windows XP, but even in Windows 7 it is nerfed by default.
To fix this, visit your Control Panel, then System or System and Security then System, depending on your version of Windows. Select the Advanced tab, or Advanced System Settings on the left menu in Vista/7. Under the Performance area hit the Settings… button, then finally select the Data Execution Prevention tab.
The first thing to note is at the bottom, where you’ll be informed whether your computer supports hardware DEP (enforced by the CPU’s no-execute bit, which is much better security) or only software DEP. If your system doesn’t support hardware DEP there’s nothing you can do short of upgrading your CPU (and possibly other required components).

- Windows’ Data Execution Prevention Interface
You only have two options here. By default Windows turns DEP on “for essential Windows programs and services only”, which is a good start, but DEP is a great thing to have running all the time, especially on threat-facing applications like your web browser, email client, etc. DEP isn’t enabled for everything by default because of backwards compatibility issues, and in fact, if you run a lot of older programs you may have issues with them. Luckily Windows will give you a popup telling you if an app has been killed by DEP, in which case you can return to this menu, hit the Add… button, and exclude any problematic legitimate programs. In the past two years of running DEP constantly I haven’t had a single problem, so don’t worry too much.
Anyways, select “Turn on DEP for all programs and services except those I select:”, hit OK twice, and reboot. After coming back up rest easier knowing your system now refuses to execute code from data pages in every process, which kills the payload stage of most buffer overflow exploits, and in two minutes you’ve drastically increased the resilience of your computer against them.
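The same three things the dialog does (tell you whether hardware DEP is available, switch the policy to “all programs except those I select”, and keep a list of exclusions) can be done and verified from an elevated PowerShell prompt. This is an added example, not from the original post; it relies on the documented Win32_OperatingSystem DEP properties and the bcdedit nx setting, and assumes (to my knowledge of Windows application-compatibility behaviour, so verify on your build) that the Add… button records exclusions as DisableNXShowUI layers under AppCompatFlags\Layers.

```powershell
# Added example (not part of the original post): inspect and set the
# system-wide DEP policy without clicking through System Properties.
# Run from an elevated prompt; the bcdedit step needs administrator rights.

# 1. Does the CPU/OS pair offer hardware DEP, and which policy is active?
#    Both are documented WMI properties of Win32_OperatingSystem.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$policyNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn'
    2 = 'OptIn  (essential Windows programs and services only)'
    3 = 'OptOut (all programs and services except exclusions)'
}
"Hardware DEP available : $($os.DataExecutionPrevention_Available)"
"Current policy         : $($policyNames[[int]$os.DataExecutionPrevention_SupportPolicy])"

# 2. Switch to OptOut, which is exactly what the radio button
#    "Turn on DEP for all programs and services except those I select"
#    sets. Like the GUI, it takes effect after a reboot.
#    (Braces are quoted so PowerShell does not parse them as a script block.)
bcdedit /set '{current}' nx OptOut

# 3. Show any per-program exclusions already recorded. Assumption: the
#    Add... button stores each excluded executable as a DisableNXShowUI
#    layer under this key.
$layers = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
if (Test-Path $layers) {
    (Get-ItemProperty -Path $layers).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -like '*DisableNXShowUI*' } |
        ForEach-Object { "Excluded from DEP: $($_.Name)" }
} else {
    'No DEP exclusions recorded.'
}
```

Re-run the first block after the reboot to confirm the policy reads OptOut. If DataExecutionPrevention_Available is False you are on software DEP only, which is the weaker mode described later in this post.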
This entry was initially on my former blog, LearnToHack.org, which I no longer maintain.
But what if my computer doesn’t support hardware-based DEP? If I turn it on, will it still work correctly and will it give me the security I need?? Please answer!!!
Enabling DEP in software mode will function fine. However, it’s not “true” DEP, so the increase in security you gain will not be anywhere near as significant as if your CPU supported hardware DEP. Either way, flip it on and you’ll be better off than you were.